After publishing the article “I have accepted all cookies, am I in trouble?” we received many questions related to HTTP cookies. And not only do we understand your curiosity, but we support it! Security on the Internet is the main concern for everybody, and in recent years, you see HTTP cookies on almost every website you visit.
That’s why we prepared this article with everything you need to know about HTTP cookies. Understanding more about them, their purpose, and their risks is the first step toward being protected.
Why are websites asking about cookies all the time?
Websites are asking you about cookies to comply with the law. This is not new, but in recent years the law has been pushing websites hard to respect the rules and to protect users’ privacy and sensitive data. There are different laws and entities in charge of supervising these matters in every country. But let’s say that the European GDPR is the toughest law worldwide.
Based on the fact that HTTP cookies are used to collect users’ data, the objective of the law is to protect users’ privacy and sensitive information. Companies are obliged to obtain your explicit consent to collect the data you generate while visiting their websites.
If the websites collect your data without your prior acceptance or don’t comply with the security standards, they are violating the law and can receive very harsh penalties, like expensive fines.
What is GDPR?
The GDPR is the General Data Protection Regulation. It was designed and approved by the European Union (EU) as a means to impose obligations on organizations worldwide to protect the privacy and data of people in the EU. This regulation has been in effect since May 25th, 2018. It has taken time for websites to adjust to the regulation, but every day more and more sites are aligned with its specifications. If they don’t comply, they can’t target Europe as a market. And if they do so without complying, penalties can be harsh, estimated at millions of euros.
Do I need a cookie warning on my website?
Do I have to accept HTTP cookies?
No, you don’t have to accept the HTTP cookies. The law (GDPR, for instance) was created exactly to protect users. It’s your right to have control over your browsing history and personal, sensitive data. To share your data is up to you.
What happens if you don’t accept HTTP cookies?
If you don’t accept HTTP cookies nothing bad happens. You are exercising a fair right to protect your privacy and personal data. The control over such data is and must be yours.
When you decline HTTP cookies, the only side effects could be that the website doesn’t allow you access, so you will have to look for what you wanted somewhere else. Or you will get access but won’t have an optimized user experience on that website. This means the site won’t remember you, so you will have to authenticate from scratch every time. The site also won’t remember your preferences, previous purchases, and personal data, so you will have to define them (language, theme, currency, login data, etc.) or fill in the forms every time you access it.
If the security of your privacy and data is a priority for you, rejecting HTTP cookies makes complete sense to prevent any data collection.
What is the legitimate interest (HTTP cookies)?
Legitimate interest is a legal concept subject to interpretations and therefore, sometimes blurry. Let’s explain it based on the GDPR, in the context of HTTP cookie use.
To process users’ data under legitimate interest means that such action is absolutely necessary. Let’s understand data processing as the collection of data to translate them into information that can be used.
But the law clearly establishes that if there’s an alternative way to reach the same purpose without processing the personal data of users, then doing so without explicit permission or consent is not legal.
And even when companies consider data processing necessary, they must always weigh their need against the importance of the users’ fundamental rights and freedom. The GDPR looks at protecting users’ rights and freedom as a priority.
Legitimate interest when using HTTP cookies, meaning their use without the need for the users’ consent, applies in cases of security threats, fraud prevention, threats to public security, network and information protection, or information absolutely required by a provider to act. Companies must provide proof and documentation to work under the legitimate interest concept.
Let’s see a case. Sticking to the GDPR, marketing HTTP cookies, first or third-party, cannot be considered under the legitimate interest section. For this purpose, companies are obliged to get users’ consent for processing their data. To do it without explicit users’ permission is not legal. Companies processing users’ data without their consent for marketing (or other) purposes not justified by the legitimate interest section of the law cannot rely on this concept (legitimate interest) to defend themselves legally.
What’s the difference between first-party and third-party HTTP cookies?
Knowing where HTTP cookies come from is important because their origin is closely related to the purposes they are used for.
First-party cookies are created by the website you visit. Frequently their purpose is to optimize the functionality of the website. They can be considered safer when we talk about trustworthy websites.
Third-party cookies are not created by the website you are visiting. They belong to a different one that creates HTTP cookies for a variety of purposes, for instance, tracking users’ browsing behavior. Or they may belong to brands whose ads are linked to the site you are on. Frequently, there are analytics agencies or advertisers behind these third-party cookies. Creating client profiles with commercial objectives from browsing histories, or monitoring users’ interaction with their ads, are a couple of possibilities.
It’s possible to download the HTTP cookies of the ads inserted on a webpage even without clicking on those ads. Web pages full of ads are not hard to find. And that can mean at least a third-party cookie per ad downloaded on your browsing device.
When should you not accept HTTP cookies?
Yes, there are some specific cases where directly accepting HTTP cookies can mean risks for you.
• Visiting unencrypted websites. A website that doesn’t offer you security in terms of encryption (SSL certificate) is not safe from the beginning. Be sure you see HTTPS and not only HTTP and look for the padlock icon next to the website address. If the site doesn’t offer security, better reject the HTTP cookies.
• Entering private information. When you have to share important data with a website to achieve a goal (pay your purchases or taxes or make transfers from your online bank) it’s safer not to accept HTTP cookies. This is the type of information that criminals are looking for to commit fraud or identity theft. They can intercept the cookies to get your sensitive information.
• Third-party cookies. This type of HTTP cookie doesn’t belong to the website you are visiting and that represents a vulnerability for you. Frequently such cookies track your browsing history (behavior) and this can be sold to whoever pays for it.
• Flagged cookies. Through antivirus software, you can detect suspicious HTTP cookies. Don’t neglect the warning of your antivirus. Reject suspicious cookies or remove them if they are already on your device.
How to delete HTTP cookies on my devices?
If you accepted the HTTP cookies of a website, you can delete them from your browser. Regular HTTP cookies can be cleared by following the steps below. Just remember that some cookies are harder to remove than others, like the zombie cookies we described in our previous article “I have accepted all cookies, am I in trouble?”.
To purge your browser from time to time is good practice. Besides security, storing more and more HTTP cookies in your browser can slow down your devices over time.
Cleaning HTTP cookies on Microsoft Edge
Microsoft Edge offers you the choice to clear individual cookies or all of them in one go.
• Click on the menu and go to Microsoft Edge settings.
• Click on Cookies and site permissions.
• Click on Manage and delete cookies and site data.
• Click on See all cookies and site data.
• Now you can see each individual cookie. You can delete all HTTP cookies by clicking Remove all, delete only the third-party ones by clicking Remove third party cookies, or delete individual cookies from the list below.
You can go directly to edge://settings/siteData.
Cleaning HTTP cookies on Google Chrome
Google Chrome has the choice to clear individual HTTP cookies or the complete site data.
• Click on the Chrome’s menu and search for the settings.
• Click on Privacy & Security
• Click on Cookies and other site data.
• There, locate See all cookies and site data and click on it.
• There you can delete all cookies by pressing Remove All or delete just the cookies you want.
You can go directly to chrome://settings/siteData.
Cleaning HTTP cookies on Safari
Safari allows you to clear existing HTTP cookies and you can change your preferences too, by setting up which cookies you will accept in the future.
• Look for the Safari menu.
• Click on Preferences.
• Pick privacy and manage website data.
• Pick the cookies you want to remove or remove all.
Cleaning HTTP cookies on Firefox
Using Firefox you can clear individual HTTP cookies, multiple ones, or all saved HTTP cookies. It’s up to you.
• Look for the Firefox menu.
• Click on Preferences.
• Click on privacy and security.
• Go to cookies and site data and pick manage data.
• Choose which cookies to remove or click on remove them all.
• Click on save changes.
Where are HTTP cookies stored?
Some HTTP cookies are stored in the memory, which gets cleared when you close the browser (session cookies). But others are stored on your device’s storage.
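As an added illustration (not code from this article’s authors), the sketch below reads Set-Cookie response headers and labels each cookie with the distinctions drawn above: first-party or third-party, session or stored on the device, and whether it can travel over an unencrypted connection. The host names and header values are constructed, and the first-party check is a simplification of what browsers actually do.

```javascript
// Added example. Host names and Set-Cookie values are constructed samples.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flags such as Secure have no value.
    attrs[(i < 0 ? part : part.slice(0, i)).toLowerCase()] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq < 0 ? pair.length : eq), attrs };
}

// Session cookies carry neither Expires nor Max-Age and vanish when the browser closes.
// Max-Age takes precedence over Expires when both are present.
function lifetime(attrs, now) {
  if ('max-age' in attrs) return Number(attrs['max-age']) > 0 ? 'persistent' : 'expired';
  if ('expires' in attrs) return Date.parse(attrs.expires) > now ? 'persistent' : 'expired';
  return 'session';
}

// Simplification (assumption): browsers compare registrable domains using the
// Public Suffix List; here a cookie is first-party if the page host falls
// under the cookie's domain.
function party(pageHost, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = pageHost.toLowerCase();
  return h === d || h.endsWith('.' + d) ? 'first-party' : 'third-party';
}

function classify(header, pageHost, responseHost, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  return {
    name,
    party: party(pageHost, attrs.domain || responseHost),
    lifetime: lifetime(attrs, now),
    // Without Secure the browser also sends the cookie over plain HTTP.
    sentOverHttp: !attrs.secure,
  };
}

// Constructed responses seen while loading https://www.shop.example/
const SAMPLE = [
  ['www.shop.example', 'sid=abc123; Path=/; Secure; HttpOnly'],
  ['www.shop.example', 'lang=en; Domain=shop.example; Max-Age=31536000'],
  ['ads.tracker.example', 'uid=789; Expires=Wed, 21 Oct 2099 07:28:00 GMT; Secure; SameSite=None'],
];
const auditSample = (now) => SAMPLE.map(([host, h]) => classify(h, 'www.shop.example', host, now));
console.log(auditSample());
```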
How much space do HTTP cookies take?
An HTTP cookie is small, frequently less than a megabyte (MB). But every website uses more than one cookie. If you multiply the number of websites you visit every day these start to add up and you will have a lot of data stored (HTTP cookies). When they are many, between them and the cache, it can take up significant space on your device.
Now you are prepared to deal with HTTP cookies. It’s a trendy topic, present in your daily life, as a user and as a website owner. It involves technical, ethical, and legal aspects you must comply with.
Users must also understand that they have an important role when it comes to protecting and controlling the sharing of their personal and sensitive information online. Cyber security is a shared responsibility!